[Cryptography] "Trust in digital certificate ecosystem eroding"

Tom Mitchell mitch at niftyegg.com
Wed May 6 17:41:45 EDT 2015


On Tue, May 5, 2015 at 10:25 PM, grarpamp <grarpamp at gmail.com> wrote:

> > Browsers were being paid by CAs to include their certificate ...
> > so the CAs could sell certificates (paid for by merchants).
>
> Yes, the common downfall... what starts as a two party crypto game
> which works, devolves into a third party money game that fails.


Much of what worries me is in the hands of the big boys.
Fortune 500, Russell 2000, Visa, Mastercard, S&P Banks Index
and yes ISPs and .gov

As a moderately small group they should anchor their
web presence with an industry effort to protect
their DNS, https etc with improved tools. In addition
agencies like the FBI & DHS have a vested interest
in the stability of this rather modest set of critical business
activities.

Distributed audit tools and monitoring tools seem key.

Laws should make it astoundingly risky for businesses to
build firewalls and tools that compromise communication security
with impunity. Example: if a company intercepts banking transactions,
then they have a liability associated with that private information
that cannot (by law) be signed away as a condition of employment.

As a process there is a need for a framework that monitors
key infrastructure. Some of it needs global attention...

It should also be difficult (illegal) for any TLA to camp on a
software or hardware flaw known to them. They can whitehat-report it
without threat or timeline, but must report it inside a legal window of time.




-- 
  T o m    M i t c h e l l